The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Source Definition: CVE-2023-38408 at MITRE
One should be cautious while using SSH agent forwarding. If possible, refrain the forwarding of SSH (in SSH client) agent to untrusted servers. Considering the potential risks associated with CVE-2023-38408 one should evaluate the security risk and enable the ssh agent forwarding only if target environment like GitHub or remote servers are trustworthy.
Most of Linux distro vendors have not released patches yet for addressing this vulnerability hence there is workaround which I found for mitigating this vulnerability is that to disable the SSH agent forwarding in SSH client Linux machines which is applicable to all Linux distro such as Ubuntu, Red Hat, Suse, CentOS, Oracle Linux machines as OpenSSH is a Posix service for all Linux distros.
By default, SSH agent forwarding is disable in most of Linux OSs, but if you want to check whether ssh agent forwarding is disabled or not run below command for checking it:
root@charanjit-ubuntu:~# ssh -G localhost | grep forwardagent
forwardagent no
root@charanjit-ubuntu:~#
Alternatively you can also run this command echo “$SSH_AUTH_SOCK” to check if ssh agent forwarding is enabled you may find similar output as below in case it is enabled in your Linux server:
$ echo “$SSH_AUTH_SOCK”
# Print out the SSH_AUTH_SOCK variable
> /tmp/…
If you find it is enabled change the ForwardAgent value yes to no in file /etc/ssh/ssh_config:
root@charanjit-ubuntu:~# egrep “ForwardAgent” /etc/ssh/ssh_config
ForwardAgent no
root@charanjit-ubuntu:~#
Note: This setting will be implemented on the fly, so you need not to restart any services. Also, this setting will be applicable on ssh client service not on ssh server daemon or service. Second thing ensure you should only configure /etc/ssh/ssh_config file not /etc/ssh/sshd_config file as both files usage are different first is used for ssh client configuration and latter used for ssh server configuration.
Charanjit is passionate about automating tasks and improving processes. He uses tools like Terraform and Azure DevOps to build and manage cloud infrastructure and streamline deployment. He also enjoys using Shell scripts and Ansible playbooks to make systems run more efficiently.
In his free time, Charanjit enjoys learning about new technologies and sharing his knowledge through his blog. When he’s not working, he likes listening to music, having a cup of coffee, and relaxing in nature.
You can connect with Charanjit on Twitter, Facebook, LinkedIn, or email him at charanjit.cheema@cjcheema.com.
- How to Deploy Docker Containers with NGINX on AWS EC2 Using Ansible and GitHub Actions - April 26, 2025
- No More DynamoDB! Use Native S3 locking for Terraform State - February 7, 2025
- How to Bring and Manage Manually Created AWS Resources Under Terraform Management - January 31, 2025